Since the Sept. 11 attacks, it has become much harder to tour the White House, but how safe is the new system at the president's home?

Advertisement

Forum: Talk About This Story

WBAL TV 11 News I-Team reporter Deborah Weiner exposed a flaw in the system that could make visitors a target of identity theft.

The White House is possibly one of the most guarded tourist attractions in the country -- if not the world.

But it took only a 19-year-old college sophomore to raise security questions about what it takes to visit the president's home.

"It's almost as if the thought has never crossed their mind that this could lead to identity theft or other big issues," said Heidi Davis, a student at American University.

The issue first came to light when Davis, a Mount Airy native, said she began to arrange a tour of the White House. Protocol requires visitors first contact a congressional representative. Davis said she sent a letter to the office of Maryland Sen. Ben Cardin.

But she said she was floored when Cardin's office asked her to e-mail the full name, date of birth and Social Security numbers of everyone in her group in a spreadsheet attachment called a CSV file. Capitol Hill staffers would then forward that to the White House for a background check.

Davis said that she had just learned in Personal Finance 101 about the dangers of sending personal data that way.

"We're living in a different world today, where every day you hear of someone's security being threatened," she said.

Davis' uncle, Gary Davis, was also supposed to take the group tour but refused to e-mail his personal data. As the chief information officer for Carroll County public schools, he said the reason was simple.

"E-mail is about as secure as if you wrote your Social Security number on a post card and put it in the mailbox. E-mail is a very nonsecure method of data transmission," Gary Davis said.

But when Weiner started asking questions, all she got was finger-pointing and no one taking responsibility for putting visitors' private information at risk.

In a written statement, a spokesperson for Cardin's office said that they have similar concerns about sharing sensitive information, but added that the White House requires it be supplied through an electronic process, Weiner said. Because of the volume of people and information, Cardin's office advised constituents to e-mail the information on a spreadsheet.

It is essentially the same system at Sen. Barbara Mikulski's office and at all congressional offices, Weiner reported.

To find out how vulnerable the CSV file is, the I-Team enlisted the help of Johns Hopkins University Ph.D. candidate Sam Small, who specializes in system and computer network security.

Using Small's wireless network and an I-Team laptop, Weiner sent an e-mail from a fictional person named Maggie Smith to an I-Team producer. She attached a CSV file, complete with bogus personal data.

From his computer, Small sniffed all wireless traffic, and within minutes found Weiner's e-mail and read it. Remember -- Weiner was using the same file that members of Congress suggest constituents use to send their personal data for the White House security check.

"Even though I'm a Ph.D. student, high school students can do this, as well," Small said. "I don't have any special programs. Everything I did was free and easy."

Weiner asked him, "If you had to grade the system, what would you give it?"

Rubin responded, "I would give it an incomplete, if I was generous. The government's role in identity theft should be to protect people against identity theft. It seems that, unwittingly, they've created a system that is going to increase the likelihood of identity theft."

A White House spokesman said that the problem was an issue "for Congress to handle" adding that the avenue of transmission from Capitol Hill to the White House is a secure pipeline. From Capitol Hill, the I-Team got a sense that hands were tied on the issue, Weiner said.

As for Gary Davis, he said he believes the White House should have a secure protocol from beginning to end, and until it does, he'll have to settle for a video tour.

Rubin said he suggests potential visitors fax information to the Capitol instead. That was something some congressional offices told the I-Team they were willing to accept.